On Mon, Apr 26, 2004, Joseph Bruni wrote:

> The man page for "SSL_CTX_use_certificate_chain_file" states:
> 
>       SSL_CTX_use_certificate_chain_file() loads a certificate chain from
>       file into ctx. The certificates must be in PEM format and must be
>       sorted starting with the certificate to the highest level (root CA).
>       There is no corresponding function working on a single SSL object.
> 
> My PKI hierarchy consists of three layers, a self-signed root CA that 
> is owned by the corporate security group, a sub-CA that is responsible 
> for distributing end-user certificates, and end users who receive 
> certificates from the sub-CA.
> 
> The server certificate is issued by the root CA.
> 
> User certificates are issued by the sub-CA.
> 
> The root certificate is loaded into the CTX using 
> SSL_CTX_load_verify_locations() on both client and server applications.
> 
> Now comes the question:
> 
> o     If I build a certificate chain file as described in the man page 
> with all three certificates (user,sub-CA,root-CA), handshake fails.
> 
> o     If I build a certificate chain file with only two certificates 
> (user,sub-CA), handshake succeeds.
> 
> Why? Is this a bug? Or is there something more subtle going on?

What handshake error, and specifically what verify error, do you get server side?

If it's an error stating it cannot load an issuer certificate then you need to
include the sub-CA on the client side either by placing it in the location of
SSL_CTX_load_verify_locations() or using SSL_CTX_use_chain_file().

If the error says something about invalid purposes then you need to use -signCA
(or equivalent) to create the sub-CA.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
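The two failure modes Steve asks about can be reproduced and told apart before any handshake by building the chain and running it through `openssl verify`, which reports the same X509 verify error strings the server-side verify callback sees. The script below is an added example, not code from the thread or from the OpenSSL project: it creates a throw-away three-tier PKI (root CA, sub-CA, user cert) with the openssl CLI, writes the client chain file the reply recommends (end-entity cert first, then the sub-CA, with the root left in the trust store), and then checks three chains: the correct one, one with the sub-CA missing ("unable to get local issuer certificate"), and one whose sub-CA was issued without basicConstraints CA:TRUE ("invalid CA certificate", the purpose problem a sub-CA created without -signCA or equivalent runs into). All file names, subjects and extension contents are assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a throw-away root -> sub-CA
# -> user PKI with the openssl CLI and checks chains with "openssl verify" so the
# verify error is visible before a TLS handshake. Names and subjects are assumed.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Assumed extension files. A sub-CA must carry basicConstraints CA:TRUE (and
# keyCertSign); a "sub-CA" issued with CA:FALSE fails path validation with
# "invalid CA certificate".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext
printf 'basicConstraints=CA:FALSE\n' > notca.ext

# new_key_csr NAME SUBJECT: fresh RSA key plus CSR for NAME.
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr; ISSUER "self" self-signs.
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

build_pki() {
  new_key_csr root   "/CN=Example Root CA"; sign root   self   ca.ext
  new_key_csr sub    "/CN=Example Sub CA";  sign sub    root   ca.ext
  new_key_csr user   "/CN=alice";           sign user   sub    user.ext
  # A "sub-CA" issued without CA:TRUE, to reproduce the purpose error.
  new_key_csr badsub "/CN=Bad Sub CA";      sign badsub root   notca.ext
  new_key_csr user2  "/CN=bob";             sign user2  badsub user.ext
  # Client chain file: end-entity cert first, then its issuer. The root is left
  # out; it belongs in the trust store loaded with SSL_CTX_load_verify_locations().
  cat user.pem sub.pem > chain.pem
}

# verify_status TRUSTED UNTRUSTED LEAF: prints ok or fail (UNTRUSTED may be "").
verify_status() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2" "$3"; else set -- -CAfile "$1" "$3"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_reason TRUSTED UNTRUSTED LEAF: prints the X509 verify error string, if any.
verify_reason() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2" "$3"; else set -- -CAfile "$1" "$3"; fi
  openssl verify "$@" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

build_pki
echo "user via chain.pem:      $(verify_status root.pem chain.pem user.pem)"
echo "user without sub-CA:     $(verify_status root.pem '' user.pem) ($(verify_reason root.pem '' user.pem))"
echo "user2 via non-CA issuer: $(verify_status root.pem badsub.pem user2.pem) ($(verify_reason root.pem badsub.pem user2.pem))"
```

The chain.pem produced here is the two-certificate (user, sub-CA) file from the original question; `-untrusted chain.pem` feeds it to the verifier the way a client's chain file reaches the server during the handshake, while `-CAfile root.pem` plays the part of the trust store. Passing only the root and no intermediate gives the "issuer" error, which is the case for adding the sub-CA to the client's chain file or verify locations; the CA:FALSE sub-CA gives the purpose-style error, which no chain file arrangement can fix and which requires reissuing the sub-CA as a CA.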
